When the Air Force showed up at the Defcon hacker conference in Las Vegas last month, it didn’t come empty-handed. It brought along an F-15 fighter-jet data system—one that security researchers thoroughly dismantled, finding serious vulnerabilities along the way. The USAF was so pleased with the result that it has decided to up the ante. Next year, it’s bringing a satellite.
That’s a promise from Will Roper, assistant secretary of the Air Force for acquisition, technology, and logistics. While sending elite hackers after an orbiting satellite—and its ground station—might sound ambitious, it’s in keeping with Roper’s commitment to fundamentally changing how his branch of the military attacks its cybersecurity challenges.
“We have to get over our fear of embracing external experts to help us be secure. We are still carrying cybersecurity procedures from the 1990s,” says Roper. “We have a very closed model. We presume that if we build things behind closed doors and no one touches them, they’ll be secure. That might be true to some degree in an analog world. But in the increasingly digital world, everything has software in it.”
“What they’re going to do is try to take over the satellite by any means they find.”
Will Roper, Air Force
Software inevitably has bugs that could be exploited, whether in a smart microwave or a complex flight system. Roper knows this from experience: The Hack the Air Force initiative, a bug bounty that sprang from a partnership between HackerOne and the Pentagon’s Defense Digital Service, paid out $130,000 to hackers who collectively found over 120 vulnerabilities last December.
It was DDS that connected the Air Force to the organizers of Defcon’s Aviation Village, a corner of the hacking conference dedicated to all things aerial that debuted this year. There, a group of seven vetted hackers, under the USAF’s watchful eyes, attacked a Trusted Aircraft Information Download Station, which transfers data back and forth on an F-15. With the vulnerabilities they found, they could have shut it down. And that’s just one of the countless components that the Air Force sources. The Air Force has its own internal cybersecurity team, of course, but its resources are finite. It needs a little help.
“You would expect really high security procedures for the F-15, and it has them. But what about this humble data translator,” says Roper. “You might overlook it, but those kinds of things tend to be built by smaller companies. And you can imagine that smaller companies without the resources of a Lockheed Martin or Northrop Grumman or Boeing are not able to think about cyber resiliency and security at a level that can contend with a peer competitor like China.”
Once the Air Force sees what common security pitfalls plague its third-party parts, it can start writing stronger security requirements into its contracts. That hardens the entire supply chain—which in turn makes everyone’s aircraft more secure.
More still needs to be done, though, to address the opacity of the broader aviation community. Airplane parts are difficult for independent researchers to come by, and the big manufacturers have bristled at any suggestion that their products might have vulnerabilities like anything else that runs on millions of lines of code. It’s especially glaring at a time when similar tensions with the automotive and medical device communities have largely thawed, says Pete Cooper, director of the Aviation Village. “I couldn’t see the same collaboration in the aviation sector,” says Cooper. “There wasn’t really much in the way of productive and positive relationships in that area.”
Here’s how it’s going to work: Sometime soon, the Air Force will put out a call for submissions. Think you know how to hack a satellite or its ground station? Let them know. A select number of researchers whose pitches seem viable will be invited to try out their ideas during a “flat-sat” phase—essentially a test build comprising all the eventual components—six months before Defcon. That group will once again be culled; the Air Force will fly the winners out to Defcon for a live hacking competition.
“What we’re planning on doing is taking a satellite with a camera, have it pointing at the Earth, and then have the teams try to take over control of the camera gimbals and turn toward the moon,” says Roper. “So, a literal moon shot.”
Some specifics are still in the offing, like which satellite will be involved—regardless, it will likely be flying in low Earth orbit—how many teams will be selected in each round, and the size of the final cash award. But still, it’s not every day that you get to hack a celestial body, much less legally so.
“If you want to get into a satellite, you can either go through the ground station or you can try to find a way into the satellite directly, with your own emitter. We will have opportunities for contestants to do both,” says Roper. “But what they’re going to do is try to take over the satellite by any means they find.”
Security researchers will have to go through a vetting process; this is military equipment, after all. But ideally the opportunity is worth the hassle. And the earlier in the process the security community comes in, the better. “We want to hack in design, not after we’ve built,” says Roper. “The right place to do it is when that flat-sat equivalent exists for every system. Let the best and brightest come tear it up, because the vulnerabilities are less sensitive then. It’s not an operational system. It’s easier to fix. There’s no reason not to do it other than the historical fear that we have letting people external to the Air Force in.”
If the Air Force is willing to let people look under the hood, then maybe the commercial aerospace industry will as well. “What we’re trying to achieve is to help industry see that, actually, there is value in learning about potential risks, that good-faith research can be something really helpful,” says Cooper, who applauds the Air Force for its relative openness to the security community. “The difficulty is linking up those doing good-faith research with the actual risk-owner of the system.”
Sure, the satellite-hacking contest may be a bit of a public relations stunt. But it’s one with both practical value—it’ll make at least one satellite more secure—and relevance. Cooper says that space has become such a vital part of aircraft cybersecurity that the Aviation Village will next year be the Aerospace Village. And the event will also convey a critical message: The Air Force has cool toys, and it’ll let you break them. For the security community, that’s quite an olive branch.
And if satellites aren’t your thing? Don’t fret. Roper says he’s doing his best to bring an entire plane to Defcon. They’re just having a little trouble finding room.